BAE Systems report links Taiwan heist to North Korean LAZARUS APT

The activity of the Lazarus APT Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

The Lazarus group, tracked by the U.S. government as Hidden Cobra, seems to be behind recent attacks against U.S. defense contractors, likely in cooperation with other hacker groups.

Back to the recent attack, hackers exploited the SWIFT global financial network to steal roughly $60 million from Taiwan’s Far Eastern International Bank.

Reports of $60M being stolen are not correct, the overall amount actually stolen by the hackers were considerably lower.

The hackers transferred the money outside the island, but the bank claimed it had managed to recover most of it.

The Sri Lanka police have recently arrested two men allegedly involved in the cyberheist, the suspects are accused to have hacked into computers at a Taiwan bank and stole millions of dollars

Researchers at BAE Systems have identified some of the tools used in the cyber heist and linked them to the Lazarus‘s arsenal.

Researchers believe attackers used a piece of ransomware known as Hermes as a distraction tactic. According to researchers at McAfee, the Hermes variant used in the attack on the Taiwanese bank did not display a ransom note, a circumstance that suggests it wasn’t used for a different purpose, distraction.

“Was the ransomware used to distract the real purpose of this attack? We strongly believe so,” McAfee researchers said. “Based on our sources, the ransomware attack started in the network when the unauthorized payments were being sent.”

Lazarus operators likely used the Hermes ransomware on the bank’s network to interfere with the investigations and destroy evidence of their attack.

“The Hermes strain used on FEIB’s network did not change the infected computer’s wallpaper and didn’t leave a flashy ransom note behind, like the original Hermes note, portrayed below.” reported Bleeping computer.

“Instead, the Hermes version used in the FEIB attacks only showed a popup with the text “finish work” and left a file named “UNIQUE_ID_DO_NOT_REMOVE” in every directory.”

The Hermes samples analyzed by researchers at BAE Systems drop a ransom note in each encrypted folder.

The experts also analyzed another strain of malware used in the attack dubbed Bitsran, it is a loader used to spreads a malicious payload on the targeted network. The analysis of its code revealed the presence of hardcoded credentials for the network of the Far Eastern International Bank. The malware was likely used in a reconnaissance phase.

“Sample #2 [Bitsran] is designed to run and spread a malicious payload on the victim’s network.” states the report.

“The malware then enumerates all processes, searching for specific anti-virus processes and attempts to kill these using the command line tool taskkill.”

Other malware used by the attackers are the same used by the Lazarus group, including in attacks aimed at financial organizations in Poland and Mexico.

The malicious code contains string written in the Russian Language, but researchers believe is a false flag to deceive them.

The sample of Hermes ransomware analyzed by the experts checks the infected machine’s language settings and stopped running if use Russian, Ukrainian or Belarusian languages. This feature widely adopted by Russian and Ukrainian vxers who often avoid targeting machines in their country. However, experts speculate this could also be a false flag.

“The ransomware calls GetSystemDefaultLangID() to obtain language identifier for the system locale. It contains a list of three system language codes: 0x0419 (Russian), 0x0422 (Ukrainian), and 0x0423 (Belarusian). However, it only checks against the last two, and, if matching, the malware quits. Whether this is a false-flag or not is unknown.” states the analysis.

Below the hallmarks of the Lazarus group that were recognized by BAE experts in the attack on the Taiwanese Far Eastern International Bank:

Destination beneficiary accounts in Sri Lanka and Cambodia – both countries have been used previously as destinations for Lazarus’ bank heist activity;

Use of malware previously seen in Lazarus’ Poland and Mexico bank attacks. Where these files were found and the context of their use needs to be confirmed, but could provide a crucial attributive link;

Use of unusual ransomware, potentially as a distraction.

“Despite their continued success in getting onto payment systems in banks, the Lazarus group still struggle getting the cash in the end, with payments being reversed soon after the attacks are uncovered,” concluded BAE Systems.

“The group may be trying new tricks to disrupt victims and delay their ability to respond – such as different message formats, and the deployment of ransomware across the victim’s network as a smokescreen for their other activity. It’s likely they’ll continue their heist attempts against banks in the coming months and we expect they will evolve their modus operandi to incorporate new ways of disrupting victims (and possibly the wider community) from responding,”

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This site uses cookies, including for analytics, personalization, and advertising purposes. For more information or to change your cookie settings, click here.

If you continue to browse this site without changing your cookie settings, you agree to this use.AcceptRead More

Privacy and Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.